Finite countermodels for safety verification of parameterized tree systems

In this paper we deal with verification of safety properties of parameterized systems with a tree topology. The verification problem is translated to a purely logical problem of finding a finite countermodel for a first-order formula, which further resolved by a generic finite model finding procedure. A finite countermodel method is shown is at least as powerful as regular tree model checking and as the methods based on monotonic abstraction and backwards symbolic reachability. The practical efficiency of the method is illustrated on a set of examples taken from the literature.

💡 Research Summary

The paper presents a novel approach to safety verification of parameterized systems whose configurations are naturally represented as trees. Traditional techniques for such systems include Regular Tree Model Checking (RTMC), which combines tree automata for initial and unsafe states with a tree transducer describing one‑step transitions, and methods based on monotonic abstraction or backward symbolic reachability. These approaches either construct an over‑approximation of the transitive closure of the transition relation or rely on abstract domains, and their completeness is limited to specific classes of systems.

The authors propose to recast the entire verification problem as a purely logical task: given a first‑order sentence Φ that encodes the initial automaton, the unsafe automaton, and the transition transducer, safety reduces to showing that Φ does not entail the existential formula
∃x∃y Init₁(x) ∧ R(x,y) ∧ Unsafe₁(y).
In other words, one must demonstrate that there is no finite sequence of transitions (captured by the binary predicate R) leading from an initial configuration (Init₁) to an unsafe configuration (Unsafe₁).

The encoding proceeds as follows. Every state of the automata and every alphabet symbol becomes a constant or a function symbol in the first‑order language. Unary predicates Init₁ and Unsafe₁ denote “this term represents an initial/unsafe tree”. Binary predicates Init₂ and Unsafe₂ capture the stepwise acceptance conditions of the automata, while a ternary predicate T encodes the one‑step transition rules of the transducer. The transitive closure of the transition relation is axiomatized by the reflexivity and transitivity clauses R(x,x) and R(x,y)∧R(y,z)→R(x,z). The set Φ consists of universally quantified Horn clauses that faithfully mirror the transition rules of the three components.

Two key theoretical results are proved. First, adequacy: if a tree τ belongs to the language of the initial (resp. unsafe) automaton, then Φ proves Init₁(t_τ) (resp. Unsafe₁(t_τ)), where t_τ is the term obtained by recursively translating τ into a first‑order term. Second, relative completeness: whenever RTMC can answer “safe” for a given instance, there exists a finite model of Φ that falsifies the existential safety violation formula. The proof constructs a finite domain from the states of a deterministic automaton recognizing a regular over‑approximation of the reachable set, and defines interpretations of the function and predicate symbols accordingly. Consequently, any complete finite‑model finder (e.g., Mace4, Paradox) that can search for countermodels of first‑order sentences will be at least as powerful as RTMC, and also as powerful as monotonic abstraction and backward reachability methods, because their abstractions can be expressed in the same logical framework.

The methodology is illustrated on the classic “two‑way token” protocol. The protocol consists of processes arranged in a binary tree, each holding a binary token flag. The safety property states that at most one token may be present at any time. The authors encode the initial configurations (exactly one token), the unsafe configurations (two or more tokens), and the token‑passing rules as a tree transducer. The resulting first‑order theory Φ is fed to the Mace4 finite‑model finder. Mace4 fails to find a model of the existential violation formula, thereby confirming safety for trees of arbitrary size. This experiment demonstrates that the finite‑countermodel (FCM) method can handle non‑trivial parameterized systems without explicitly constructing the transitive closure of the transition relation.

In summary, the paper establishes a bridge between parameterized tree‑system verification and finite‑model finding in first‑order logic. By showing that any positive answer obtained by RTMC admits a finite countermodel, the authors prove that the FCM approach is at least as expressive as the state‑of‑the‑art techniques. Moreover, because the encoding uses only standard first‑order constructs, the method can leverage any mature finite‑model search tool, offering a uniform and potentially more scalable verification pipeline for a wide class of infinite‑state, parameterized systems.